My Health Records Amendment (Strengthening Privacy) Bill 2018

BILLS DIGEST NO. 30, 2018–19
16 OCTOBER 2018

        Owen Griffiths
        Law and Bills Digest Section


        Date introduced: 22 August 2018
        House: House of Representatives
        Portfolio: Health
        Commencement: The day after the Act receives Royal Assent.
        Links: The links to the Bill, its Explanatory Memorandum and second reading speech can be found on the Bill’s home page, or through the Australian Parliament website.
        When Bills have been passed and have received Royal Assent, they become Acts, which can be found at the Federal Register of Legislation website.
        All hyperlinks in this Bills Digest are correct as at October 2018.

        Contents
        Purpose of the Bill
        Structure of the Bill
        Background
          From opt-in to opt-out
          Authorisation for the use, collection and disclosure
          Concerns regarding disclosures for law enforcement purposes
          Government response
        Committee consideration
          Senate Community Affairs References Committee
          Senate Community Affairs Legislation Committee
          Senate Standing Committee for the Scrutiny of Bills
        Policy position of non-government parties/independents
          Australian Labor Party (Labor)
          Australian Greens
          Centre Alliance
          Australian Conservatives
          Senator Tim Storer
        Position of major interest groups
        Financial implications
        Statement of Compatibility with Human Rights
          Parliamentary Joint Committee on Human Rights
        Key issues and provisions
          Destruction of records
          Collection, use and disclosure
          Disclosure orders
            What agencies can information be disclosed to? —‘Designated entities’
            Grounds for granting access
            Threshold for disclosure to designated entities
            Judicial officers
            Personal capacity and immunity
          Disclosure in relation to unlawful activities
        Other provisions
        Concluding comments

ISSN 1328-8091

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest.




Purpose of the Bill
        The My Health Records Amendment (Strengthening Privacy) Bill 2018 (Bill) will amend the My
        Health Records Act 2012 (MHR Act) to:
        • remove the authority of the System Operator (the Australian Digital Health Agency or ADHA) to
          disclose the health information in a My Health Record to enforcement agencies or other
          government bodies without a judicial order or the healthcare recipient’s consent (making it
          consistent with the ADHA’s policy position) and
        • require the System Operator to destroy the health information in a healthcare recipient’s
          My Health Record if they cancel their registration.1
        The Bill will also:
        • provide the process for orders of disclosure of My Health Record health information to be
          made by judicial officers to designated entities and
        • provide for the collection, use and disclosure of health information under the specific
          legislation, namely the MHR Act and the legislation associated with the Auditor-General, the
          Commonwealth Ombudsman and the Australian Information Commissioner.2

        Structure of the Bill
        The Bill contains one schedule which includes the amendments to the MHR Act and provides for
        the application of the amendments.

        Background
        From opt-in to opt-out
        In 2012, the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) was passed to
        enable the establishment and operation of the Personally Controlled Electronic Health Record
        (PCEHR) system. The objective of the PCEHR system was to facilitate access to health information
        relating to consumers of healthcare.3 It created an electronic health record system for regulating
        the collection, recording, use and disclosure of the health information of healthcare ‘consumers’.4
        The PCEHR system was a voluntary, or opt-in, system. Eligible consumers could apply to the
        System Operator to be registered in the PCEHR system.5
        The PCEHR Act included a range of privacy and access safeguards for the PCEHR system, but also
        provided for the System Operator to use or disclose the health information included in a
        consumer’s record in some circumstances. These circumstances included if the System Operator
        reasonably believed the disclosure was reasonably necessary for certain things done by, or on
        behalf of, an enforcement body.6




        1.     G Hunt, ‘Second reading speech: My Health Records Amendment (Strengthening Privacy) Bill 2018’, House of Representatives,
               Debates, (proof), 22 August 2018, p. 7. Under section 14 of the PCEHR Act, the System Operator was originally the Secretary
               of the Department of Health (unless the Regulations prescribe another body). In 2016, the Australian Digital Health Agency
               was established and prescribed as the System Operator (see below).
        2.     Explanatory Memorandum, My Health Records Amendment (Strengthening Privacy) Bill 2018, pp. 9–11.
        3.     PCEHR Act, section 3.
        4.     Under section 5 of the PCEHR Act a ‘consumer’ was defined as ‘an individual who has received, receives or may receive
               healthcare’.
        5.     PCEHR Act, sections 39 and 40. However, the ‘authorised representative’ (section 6) or ‘nominated representative’ (section 7)
               of a consumer could also register a consumer with the PCEHR system.
        6.     PCEHR Act, subsection 70(1).



In November 2013, a review of the PCEHR system, led by the head of Uniting Care Health
        Queensland Richard Royle, was announced.7 The Review of the Personally Controlled Electronic
        Health Record was released in May 2014.8 It found there was ‘overwhelming support’ for the
        implementation of an electronic health record system, but stated that a ‘change in approach’ was
        needed to correct implementation issues and ‘to review the strategy and role that a shared
        electronic health record plays in a broader system of health care’.9 The recommendations of the
        review included that the PCEHR system should be renamed My Health Record and that the system
        should be transitioned to an opt-out model by 1 January 2015.10
        In 2015, the Health Legislation Amendment (eHealth) Act 2015 was passed. This legislation
        renamed the PCEHR Act to the MHR Act and renamed ‘consumers’ in the legislation as ‘healthcare
        recipients’. It also amended the MHR Act to allow the Minister to provide that an opt-out model
        be applied to all healthcare recipients through changes to the My Health Record Rules.
        In 2016, the Australian Digital Health Agency (ADHA) was established.11 Section 14 of the MHR Act
        provides that the System Operator is the Secretary of the Department of Health or a body
        established by a Commonwealth law that is prescribed under the Regulations. Prior to 1 July 2016,
        the System Operator was the Secretary of the Department of Health. An amendment to the My
        Health Records Regulation 2012 prescribed the ADHA to be the System Operator on 1 July 2016.12
        On 30 November 2017, the Minister made the My Health Records (National Application) Rules
        2017 which applied an opt-out model of registration to My Health Record and specified the period
        in which healthcare recipients could opt-out. The initial period in which healthcare recipients
        could choose to opt-out of the My Health Record system was 16 July 2018 to 15 October 2018.
        This was later extended to 15 November 2018 (see below).
        As part of the 2017–18 Budget, the Department of Health stated:
                  A transition to opt-out participation for My Health Record will bring forward benefits many years sooner
                  than the current opt in arrangements. Opt-out is the fastest way to realise the significant health and
                  economic benefits of My Health Record for all Australians including through avoided hospital
                  admissions, fewer adverse drug events, reduced duplication of tests, better coordination of care for
                  people seeing multiple healthcare providers, and better informed treatment decisions.

                  Opt-out participation is supported by an independent evaluation of two opt-out [trials] undertaken in
                  Northern Queensland and Nepean Blue Mountains Primary Health Network areas. The evaluation
                  showed a high level of support for automatic creation of My Health Records by both healthcare
                  providers and individuals. Across the two opt-out trial areas, the opt-out rate was just 1.9 per cent…13




        7.     P Dutton (Minister for Health), Federal Government to review electronic health records, media release, 3 November 2013.
        8.     P Dutton (Minister for Health), Report into the Personally Controlled Electronic Health Record, media release, 19 May 2014.
        9.     R Royle, Review of the Personally Controlled Electronic Health Record, [Department of Health], [Canberra], December 2013,
               p. 13.
        10.    Ibid., p. 16.
        11.    Public Governance, Performance and Accountability (Establishing the Australian Digital Health Agency) Rule 2016.
        12.    My Health Records Amendment (System Operator) Regulation 2016.
        13.    Department of Health (DoH), Budget 2017–18: My Health Record – continuation and expansion, Fact sheet, DoH, Canberra,
               9 May 2017.



Authorisation for the use, collection and disclosure
        The MHR Act establishes a complex regulatory framework for the use, collection and disclosure of
        the health information included in a healthcare recipient’s My Health Record. A person or
        organisation can only collect, use or disclose the health information in a healthcare recipient’s My
        Health Record if they are authorised to do so by the MHR Act. For example, healthcare recipients
        themselves are authorised to collect, use and disclose, for any purpose, the health information
        included in their own My Health Record.14
        Participants in the My Health Record system, such as registered healthcare providers, have a range
        of authorisations to collect, use or disclose the health information in a healthcare recipient’s My
        Health Record.15 These include, for example, collection, use and disclosure of health information
        for the purpose of providing healthcare to the registered healthcare recipient (in accordance with
        the access controls set by the healthcare recipient).16
        Additionally, under the MHR Act the System Operator (the ADHA) has a number of authorisations
        to disclose or use the health information contained in a My Health Record in certain
        circumstances. These include to:
        • disclose information if ordered to do so by a court or tribunal if the proceedings relate to the
          MHR Act, unauthorised access to information in the My Health Record system or healthcare
          provider indemnity cover, or with the consent of the consumer (subsections 69(1) and (4)) and
        • disclose information if ordered or directed by a coroner (subsection 69(2)).
        In particular, section 70 is titled Disclosure for law enforcement purposes, etc. Subsection 70(1)
        provides that the System Operator is authorised ‘to use or disclose’ the health information
        included in a healthcare recipient’s My Health Record if the System Operator ‘reasonably believes
        that the use or disclosure is reasonably necessary for one or more of the following things done by,
        or on behalf of, an enforcement body’. These are:
        • the prevention, detection, investigation, prosecution or punishment of criminal offences,
          breaches of a law imposing a penalty or sanction or breaches of a prescribed law
        • the enforcement of laws relating to the confiscation of the proceeds of crime
        • the protection of the public revenue
        • the prevention, detection, investigation or remedying of seriously improper conduct or
          prescribed conduct and
        • the preparation for, or conduct of, proceedings before any court or tribunal, or implementation
          of the orders of a court or tribunal.
        Subsection 70(2) clarifies that as far as subsection 70(1) relates to the last point regarding the
        proceedings or orders of courts and tribunals, it is subject to section 69 which (as noted above)
        provides for these disclosures.
        Subsection 70(3) provides for the use or disclosure of My Health Record health information if the
        System Operator ‘has reason to suspect unlawful activity’ which relates to the System Operator’s
        functions and ‘reasonably believes’ use or disclosure is necessary ‘for the purposes of an
        investigation of the matter or in reporting concerns to relevant persons or authorities’.

        14. MHR Act, section 67.
        15. A participant in the My Health Record system is defined in the MHR Act as meaning: the System Operator, a registered
            healthcare provider organisation, the operator of the National Repositories Service, a registered repository operator, a
            registered portal operator and a registered contracted service provider, so far as the contracted service provider provides
            services to a registered healthcare provider (section 5 of the MHR Act).
        16. MHR Act, section 61.

        The listed ‘enforcement purposes’ in subsection 70(1) which provide for when the System
        Operator may use or disclose My Health Record health information reflect, but do not replicate,
        the factors in Australian Privacy Principles (APP) 6.2(e) which restrict the use or disclosure of
        personal information by APP entities17 under the Privacy Act 1988 (Privacy Act).18 Provisions which
        permit the use and disclosure of information and/or documents for ‘enforcement’ reasons exist in
        a range of other Commonwealth legislation.19

        Concerns regarding disclosures for law enforcement purposes
        The potential privacy risks associated with the development of a national electronic health record
        system have led to a range of concerns being expressed, including in relation to access by law
        enforcement agencies to the stored health information. For example, in 2011, the Privacy Impact
        Assessment regarding the proposed PCEHR system undertaken by Minter Ellison Lawyers for the
        Department of Health and Ageing noted that the system would be ‘an attractive source of data’
        for several groups including law enforcement agencies. It stated:
                  The extent to which the PCEHR is seen as a 'honeypot' of data for insurance companies and law
                  enforcement agencies may impact on the degree of confidence placed in the PCEHR system by
                  consumers.20

        Trials of the opt-out My Health Record model were conducted in 2016. The key finding of the
        evaluation report feedback regarding the confidentiality and security of the My Health Record
        system was positive:
                  Once the benefits of the My Health Record system were clear, nearly all focus group participants said
                  that their concerns about security and privacy, or about the fact that a My Health Record had been
                  created, disappeared. They most often said that, while they thought that no computer-based systems
                  were totally safe, on balance they thought that the benefits to them, their families and the health
                  system far outweighed those risks…21

        There were also indications that law enforcement access to the health information in the My
        Health Record system could raise concerns. The evaluation report included:
                  Concerns about confidentiality and security were expressed more often in the focus group in Mapoon…
                  Questions and concerns were also raised by this group regarding law enforcement agencies having
                  access to the My Health Record system. After clarifying that, as a personally-controlled record, they
                  could set their own privacy settings and also access alerts and logs that detailed which healthcare
                  providers had recently accessed the My Health Record, half the participants were satisfied with the level
                  of security and ability of the My Health Record to keep their information confidential, while the other
                  half remained sceptical [sic].22

        17. Under the Privacy Act, an APP entity is an organisation or agency obliged to comply with the Australian Privacy Principles
            (APP) (see sections 6, 6C and 15).
        18. While under subsection 70(1) of the MHR Act the use or disclosure of health information can be for ‘one or more of the
            following things done by, or on behalf of, an enforcement body’, under APP 6.2(e) the use or disclosure of personal
            information can be for ‘one or more enforcement related activities conducted by, or on behalf of, an enforcement body’.
            The meanings in the definition of enforcement related activities in the Privacy Act differ from the ‘things done by’ an
            enforcement body in subsection 70(1) MHR Act. In the Privacy Act, enforcement related activities also includes ‘the conduct
            of surveillance activities, intelligence gathering activities or monitoring activities’, ‘the conduct of protective or custodial
            activities’ and extends to ‘the prevention, detection, investigation or remedying of misconduct of a serious nature, or other
            conduct prescribed by the regulations’.
        19. See, for example: section 504, Fair Work Act 2009; section 149, Work Health and Safety Act 2011; paragraph 86-3(1)(h), Aged
            Care Act 1997; subsection 90K(5), Australian Postal Corporation Act 1989; section 38, Dental Benefits Act 2008; section 111,
            Australian Jobs Act 2013; section 55, Clean Energy Regulator Act 2011; section 21, Student Identifiers Act 2014.
        20. Minter Ellison Lawyers, Privacy impact assessment report: Personally Controlled Electronic Health Record (PCEHR), report
            prepared for the Department of Health and Ageing, 15 November 2011, p. 85.
        21. Siggins Miller [a firm], Evaluation of the participation trials for the My Health Record, Final report, [Sydney], November 2016,
            p. vi.

        In 2016, legal academics Danuta Mendelson and Gabrielle Wolf analysed the My Health Record
        system and the MHR Act in the context of the change to the opt-out model. They stated:
                  Not only has the system failed to fulfil its statutory objectives, but it permits the wide dissemination of
                  information that historically has been confined to the therapeutic relationship between patient and
                  health practitioner. After considering several other purposes for which the system is apparently
                  designed, and who stands to benefit from it, we conclude that the government risks losing the trust of
                  Australians in its electronic health care policies unless it reveals all of its objectives and obtains patients'
                  consent to the use and disclosure of their information.23

        They noted:
                  Circumstances and purposes articulated in the statute include provision of information captured by the
                  My Health Record system to courts and tribunals, as well as use of this information for law enforcement
                  purposes. Although other uses of this information and their scope are yet to be explicitly revealed, it is
                  clear that information previously considered to be within the private domain of individuals and under
                  the control of their chosen health providers is being reconceptualised as shared data about individuals,
                  to be collected, distributed and managed by government and private entities.24

        On 7 June 2018, Leanne Wells, the Chief Executive Officer of the Consumers Health Forum of
        Australia, published an article considering the pros and cons of the My Health Record system,
        including potential access to health information by law enforcement and government agencies.
        She stated:
                  The Government and/or ADHA needs to be transparent with the public about the policies and
                  procedures they have in place around access to My Health Record information by law enforcement and
                  other government agencies, and consider whether changes to guidelines or legislation are needed.25

        The My Health Record opt-out period commenced on 16 July 2018.26 This event prompted public
        discussion regarding the merits of the My Health Record system for healthcare recipients.27 Part of
        this public debate focused on the provision in the MHR Act for disclosure by the System Operator
        for law enforcement purposes.28 On 16 July 2018, the ABC published an article with Tim Kelsey,
        the head of the ADHA, concerning My Health Record which included questions in relation to the
        rules and policies which guide the ADHA's decision to grant access to law enforcement.29 It stated:
                  Which rules and policies guide the ADHA's decision to grant access to law enforcement?

                  The ADHA is authorised by law to disclose someone's health information if it "reasonably believes" it's
                  necessary for preventing or investigating crimes and protecting the public revenue, among other things
                  specified under section 70 of the My Health Records Act.



        22. Ibid., p. 88.
        23. D Mendelson and G Wolf, ‘My [electronic] health record - cui bono (for whose benefit)?’, Journal of Law and Medicine, 24(2),
            2016, p. 283.
        24. Ibid., p. 286 (emphasis in original).
        25. L Wells, ‘An important overview of the pros, cons and questions about My Health Record’, Croakey, 7 June 2018.
        26. ADHA, My Health Record – Australians to decide on a smarter and safer way to share their important healthcare information,
            media release, 16 July 2018.
        27. For example, D Vaile, B Arnold, K Kemp, ‘My Health Record: the case for opting out’, The Conversation, 16 July 2018.
        28. For example, B Grubb, ‘The digital health record is a bad idea. I'm opting out, and you should too’, The Age, 17 July 2018.
        29. A Bogle, ‘My Health Record: your questions answered on cybersecurity, police and privacy’, ABC News, 15 July 2018.



                  The agency was unable to provide a definition of "protecting the public revenue" by deadline.

                  When it receives a law enforcement request, the ADHA will need to determine that it's a legitimate
                  request from an enforcement body.

                  "While the Agency assesses each formal request on a case by case basis, our operating policy is to
                  release information only where the request is subject to judicial oversight," the ADHA said.

                  "If the access does not support public confidence and trust in the System and the object of the My
                  Health Record Act then the Agency will deny the request."

                  Law enforcement bodies will not be granted direct access to the My Health Record: The ADHA said any
                  disclosure would be limited to what is necessary to satisfy the purpose of the request.

                  Has the ADHA received any requests from law enforcement to access records?

                  Mr Kelsey said no police requests have been received yet.

                  Will users be informed if their data has been released to law enforcement?

                  If personal information is disclosed to law enforcement, the decision about whether to notify the My
                  Health Record holder will be decided "case-by-case".

                  Likewise, healthcare provider organisations won't be informed if their patient's data is accessed.
                  The release to police will be recorded in a written note and stored by the ADHA.30

        On 21 July 2018, the ADHA issued a fact sheet on police access to My Health Record which noted
        that it had received ‘a few enquiries regarding other government departments and law
        enforcement accessing My Health Record’. It stated:
                  The Australia Digital Health Agency has not and will not release any documents without a court/coronial
                  or similar order.

                  No documents have been released in the last six years and none will be released in the future without a
                  court order/coronial or similar order.

                  Additionally, no other Government agencies have direct access to the My Health Record system, other
                  than the system operator.31

        However, during this period, concerns regarding the potential for disclosures under section 70
        continued to be expressed.32 For example, on 22 July 2018 the former Australian Medical
        Association (AMA) president Professor Kerryn Phelps was reported as saying that allowing police
        access to My Health Record information would undermine trust in the medical profession and the
        health system. She asked:
                  If someone has a cocaine problem, will they want to tell their doctor and seek help if they think it has
                  any possibility of being uploaded to a site that can be accessed by police?33

        Anna Johnston, a privacy consultant with Salinger Privacy, stated:


        30.    Ibid.
        31.    Australian Digital Health Agency (ADHA), Fact sheet: police access to My Health Record, ADHA, 21 July 2018.
        32.    For example, B Keane, ‘Soon there may be no escape from government and corporate surveillance’, Crikey, 23 July 2018.
        33.    S Dunlevy, ‘Health record at risk of hacking’, The Sunday Telegraph, 22 July 2018, p. 15.



                  While any policy by ADHA to limit the exercise of its powers under the legislation is welcome, the fact
                  remains that the legislation governing the My Health Record does give the operator of the system very
                  wide discretion to release health information about individuals to a wide range of enforcement bodies,
                  which is not just law enforcement agencies like police but also includes the Immigration Department for
                  example…

                  The law allows disclosure not only in response to a court order or warrant, but also under a 'reasonable
                  belief' test relating to matters beyond just criminal law offences.34

        On 23 July 2018, an entry concerning ‘Law enforcement access to My Health Record data’ was
        published on the Parliamentary Library’s FlagPost, a blog on current issues of interest to members
        of the Australian Parliament.35 This entry also noted that, while it was the policy of the ADHA in
        relation to law enforcement to only release information where requests are subject to judicial
        oversight, ‘it does not appear that the ADHA’s operating policy is supported by any rule or
        regulation’.36
        In light of the public discussion regarding the privacy and security of patient health information,
        key medical professional organisations clarified their views on the My Health Record system.37 The
        President-elect of the Royal Australian College of General Practitioners (RACGP) spoke with the
        Minister for Health, Greg Hunt, to discuss ‘strengthening the legislation’s privacy provisions’.38 On
        25 July 2018, the AMA President Dr Tony Bartone called for the Government to provide
        guarantees about the long-term security of the privacy of the My Health Record system which
        could involve ‘examining the legislation’. He stated:
                  [T]here had been a groundswell of concern from AMA members, the broader medical profession, and
                  the public about the 2012 legislation framing the My Health Record, particularly Section 70, which deals
                  with the disclosure of health information for law enforcement purposes.39

        Government response
        On 31 July 2018, the Minister for Health, Greg Hunt, announced that strengthened privacy protections
        would be introduced for the My Health Record system:
                  After constructive discussions with the AMA and RACGP, the Government will strengthen privacy
                  provisions under the My Health Record Act, removing any doubt regarding Labor’s 2012 legislation.

                  Labor’s 2012 My Health Record legislation will be strengthened to match the existing ADHA policy.

                  This policy requires a court order to release any My Health Record information without consent. The
                  amendment will ensure no record can be released to police or government agencies, for any purpose,
                  without a court order.




        34. Stilgherrian, ‘Tens of thousands opt out of My Health Record, but can Immigration and local councils view the rest?’, ZDnet,
            17 July 2018.
        35. N Brew, ‘Law enforcement access to My Health Record data’, FlagPost, Parliamentary Library blog, 26 July 2018. This entry
            was originally uploaded on 23 July 2018.
        36. Ibid. Following feedback from the Department of Health, the FlagPost entry was briefly withdrawn and republished on
            26 July 2018 with additional information. Correspondence between the Department of Health and the Parliamentary Library
            relating to this matter has been released under the Freedom of Information Act 1982 by the Department of Health. These
            documents are available on the Department of Health’s website.
        37. For example, B Grubb, ‘Peak GP body's alleged support for My Health Record called into question’, Crikey, 23 July 2018.
        38. P Hayes, ‘Federal Government agrees to toughen privacy provisions in My Health Record legislation’, newsGP, 26 July 2018.
        39. Australian Medical Association (AMA), Guaranteeing security of the My Health Record, media release, 25 July 2018.



                  The Digital Health Agency’s policy is clear and categorical – no documents have been released in more
                  than six years and no documents will be released without a court order. This will be enshrined in
                  legislation.

                  This change to the My Health Record Act will therefore remove any ambiguity on this matter.

                  In addition, the Government will also amend Labor’s 2012 legislation to ensure if someone wishes to
                  cancel their record they will be able to do so permanently, with their record deleted from the system.

                  The Government will also work with medical leaders on additional communications to the public about
                  the benefits and purpose of the My Health Record, so they can make an informed choice.
                  We will be looking to implement and introduce these changes as soon as possible.40

        The proposed privacy protections have been positively received by the AMA and the RACGP.41
        At the Council of Australian Governments Health Council meeting on 2 August 2018, jurisdictions
        reaffirmed their support for a national opt-out approach to the My Health Record system. The
        meeting communiqué stated:
                  Jurisdictions noted clinical advice about the benefits of My Health Record and expressed their strong
                  support for My Health Record to support patient’s health. Ministers acknowledged some concerns in the
                  community and noted actions proposed to provide community confidence, including strengthening
                  privacy and security provisions of My Health Record.42

        On 10 August 2018, the Government confirmed it would extend the opt-out period for My Health
        Record for an extra month to 15 November 2018.43

        Committee consideration
        Senate Community Affairs References Committee
        On 15 August 2018, the My Health Record system was referred to the Senate Community Affairs
        References Committee (References Committee) for inquiry and report by
        8 October 2018.44 The terms of reference of the inquiry contain a number of matters relevant to
        the amendments of the Bill, including ‘the arrangements for third party access by law
        enforcement, government agencies, researchers and commercial interests’ and ‘measures that are
        necessary to address community privacy concerns in the My Health Record system’.
        On 12 October 2018, the References Committee sought and received an extension to the
        reporting date of the inquiry to 17 October 2018.
        Further information regarding the inquiry, including the full terms of reference, is available on the
        inquiry homepage.




        40. G Hunt (Minister for Health), Strengthening privacy protections for My Health Record, media release, 31 July 2018.
        41. Australian Medical Association (AMA), Submission to Senate Community Affairs References Committee, Inquiry into the My
            Health Record system, [Submission no. 79], 14 September 2018, Attachment A, p. 2; P Hayes, ‘Federal Government agrees to
            toughen privacy provisions in My Health Record legislation’, newsGP, 26 July 2018.
        42. Council of Australian Governments Health Council, Communiqué, 2 August 2018, p. 5.
        43. G Hunt (Minister for Health), My Health Record opt-out period extended, media release, 10 August 2018.
        44. Australia, Senate, Journals, 108, 2017-18, 15 August 2018, pp. 3471-3472.



        Senate Community Affairs Legislation Committee
        On 23 August 2018, on the recommendation of the Senate Selection of Bills Committee, the
        Senate referred the provisions of the Bill to the Senate Community Affairs Legislation Committee
        (Legislation Committee) for inquiry and report by 8 October 2018.45 On 19 September 2018, the
        Senate granted an extension of time for reporting until 12 October 2018.46
        Further information regarding the inquiry is available on the inquiry page. In particular, the inquiry
        page outlines the approach to the evidence received for the inquiry:
                  The Community Affairs Committees have agreed to share relevant evidence in the My Health Record
                  system inquiry and the inquiry into the My Health Records Amendment (Strengthening Privacy) Bill
                  2018. Only matters related to provisions of the Bill will be considered in the Legislation Committee
                  inquiry.

        The Legislation Committee tabled its report into the provisions of the Bill on 12 October 2018. In
        relation to the amendments of the Bill, the committee’s report stated:
                  The committee recognises the considerable expected benefits of the [My Health Record] system, and
                  that healthcare recipients' confidence in the privacy provisions of the system is vital in ensuring the
                  system's overall success. The committee commends the Bill's proposed amendments to sections 65, 69
                  and 70 to the MHR Act to strengthen the privacy provisions of the MHR system.47

        Additional comments were made by Labor senators who noted the broader concerns which had
        been raised with the My Health Record system and urged the Government to ‘heed Labor's call to
        suspend the opt-out rollout until all remaining concerns are addressed and public confidence in
        this important reform is restored’.48 Additional comments were also made by the Australian
        Greens senators who cautioned that the Bill ‘represent a minor improvement instead of the
        necessary solution’. They noted two specific issues. The first was ‘unanswered questions’
        regarding the potential access by law enforcement to backups and cache files. The second was
        their support for a proposal made by the University of Melbourne for a notification to the
        healthcare recipient if their information has been disclosed under the new process in the Bill.49

        Senate Standing Committee for the Scrutiny of Bills
        The Senate Standing Committee for the Scrutiny of Bills had no comment on the Bill.50

        Policy position of non-government parties/independents
        Australian Labor Party (Labor)
        Labor representatives do not appear to have commented on the specific provisions of the Bill.
        While broadly supportive of an electronic health record system, Labor has expressed the view that
        the rollout of My Health Records should be suspended until privacy concerns with the system are
        addressed.51 For example, on 15 August 2018, Ms Catherine King MP, the Shadow Minister for


        45. Australia, Senate, Journals, 113, 2017-18, 23 August 2018, p. 3607.
        46. Australia, Senate, Journals, 120, 2017-18, 19 September 2018, p. 3823.
        47. Senate Community Affairs Legislation Committee, My Health Records Amendment (Strengthening Privacy) Bill 2018
            [Provisions], 12 October 2018, p. 17.
        48. Ibid., p. 21.
        49. Ibid., p. 24.
        50. Senate Standing Committee for the Scrutiny of Bills, Scrutiny digest, 10, 2018, 12 September 2018, p. 10.
        51. H Belot, ‘My Health Record rollout should be suspended until potential flaws addressed, Bill Shorten says’, ABC News,
            25 July 2018.



        Health and Medicare, issued a media release in relation to the Senate Community Affairs
        References Committee inquiry into the My Health Record system. It stated:
                  We remain deeply concerned that the Government's bungled rollout of the My Health Record opt-out
                  period has severely undermined public trust in this important reform…

                  Labor has long supported an electronic health record system. We believe it has the capacity to
                  revolutionise health care delivery, but we also recognise it needs a high degree of public support in
                  order to be successful.

                  While the Government has agreed to a number of changes demanded by Labor and doctors' groups,
                  including an extension of the opt-out period and a new public information campaign, more needs to be
                  done…52

        While Labor did not oppose the passage of the Bill in the House of Representatives, it
        unsuccessfully sought to amend the motion passing the Bill to include ‘the House calls on the
        Government to suspend the “opt out” phase of the My Health Record rollout until other privacy
        and security concerns are addressed’.53

        Australian Greens
        Prior to the introduction of the Bill, on 27 July 2018, the Australian Greens announced they would
        pursue a Private Senators Bill ‘to ensure that any access to my health record data by law
        enforcement would require a warrant’. The Australian Greens leader, Senator Richard Di Natale
        stated that ‘[i]f you want to access someone’s medical records, you should have to have a warrant,
        simple as that’.54 Australian Greens representatives do not appear to have commented on the Bill.

        Centre Alliance
        Prior to the introduction of the Bill, on 25 July 2018, Centre Alliance Senator Rex Patrick was
        reported as stating ‘Centre Alliance will write to the health minister urging him to introduce
        legislation to ensure people’s health data is properly protected’.55
        In her second reading speech in the House of Representatives, Centre Alliance’s Rebekha Sharkie
        MP supported the Bill but noted that it was ‘qualified support’. She outlined a number of broader
        privacy and security concerns with the My Health Record system and indicated that she remained
        open to amendments ‘following the release of the [Senate] committee report’.56

        Australian Conservatives
        Prior to the introduction of the Bill, on 25 July 2018, Australian Conservative Senator Cory Bernardi
        was reported as stating that he was ‘open to all suggestions that will enhance individual privacy,
        the security of data, and to protect people from the intrusion of big government, whether that be
        from law enforcement or other government departments’.57




        52. C King (Shadow Minister for Health and Medicare), Senate adopts Labor’s Plan for an inquiry into My Health Record, media
            release, 15 August 2018, p. 1.
        53. Australia, House of Representatives, Votes and proceedings, 139, 2017–18, 19 September 2018, pp. 1846–47.
        54. R Di Natale, The Greens will move to enshrine warrant requirement in MyHealth: Di Natale, media release, 27 July 2018.
        55. P Karp, ‘My Health Record: AMA says it will do “whatever it takes” to ensure privacy’, The Guardian, 25 July 2018.
        56. R Sharkie, ‘Second reading speech: My Health Records Amendment (Strengthening Privacy) Bill 2018’, House of
            Representatives, Debates, (proof), 18 September 2018, p. 59.
        57. Ibid.



        Senator Tim Storer
        Prior to the introduction of the Bill, on 3 August 2018, independent Senator Tim Storer indicated
        he would be opting out of the My Health Record system. His media release stated:
                  My Health Record as currently legislated appears more of a law enforcement measure than a health
                  care initiative. The changes that Health Minister Greg Hunt has announced do not address the faults in
                  My Health Record’s design. I have serious concerns that the lack of protections for privacy and security
                  for sensitive health information remain…

                  At the very least, My Health Record must be suspended, pending a full parliamentary enquiry with an
                  emphasis on evidence from qualified cyber-security experts.58

        Position of major interest groups
        Persons and organisations with an interest in the My Health Record system have provided
        submissions and evidence to the Senate Community Affairs Committee inquiries into the Bill and
        the My Health Record system. While a range of concerns regarding the privacy and security of the
        My Health Record system have been raised, the amendments of the Bill were largely supported by
        the persons and organisations who contributed to the inquiries.59 For example, the Australian
        Information Commissioner and Privacy Commissioner, Angelene Falk, welcomed the changes:
                  The community in general is seeking greater clarity as to how their personal information is collected and
                  used, including by any third parties. In relation to the My Health Record this is manifested, for example,
                  in relation to concern as to access to the record by third parties such as law enforcement. In that regard,
                  I welcome the government's decision to introduce the My Health Records Amendment (Strengthening
                  Privacy) Bill to provide stronger safeguards regarding access to the record. I also welcome the bill's
                  intention to allow the permanent deletion of My Health Record records on request. This is an important
                  mitigation, which allows individuals to decide at a later date that they do not wish to have a My Health
                  Record.60

        The Consumers Health Forum of Australia also commended the ‘government's response to
        concerns about release to law enforcement and other agencies without a warrant’:
                  The community expects due diligence and vigilance by legislators and the system operator when it
                  comes to privacy safeguards and accountability and transparency in those safeguards … We advocated
                  for those legislative changes to ensure that no My Health Record could be released to police for any
                  purpose without a court order. We also support measures and steps to change the legislation to ensure
                  that if any Australian wishes to cancel their record, they can do so permanently with the record deleted
                  from the system.61

        The AMA considered that, if the Bill were passed, ‘the remaining circumstances where the
        legislation allow[s] disclosure strike an appropriate balance’ between protecting patients’
        privacy and allowing access in appropriate circumstances. It noted:


        58. T Storer, I am opting-out of My Health Record, media release, 3 August 2018, pp. 1–2.
        59. For example, M Bailes (Law Council of Australia), Evidence to Senate Community Affairs References Committee, Inquiry into
            the My Health Record system, 17 September 2018, p. 26; Australian Association of Social Workers, Submission to Senate
            Community Affairs References Committee, Inquiry into the My Health Record system, [Submission no. 49], September 2018,
            p. 3; Australian Human Rights Commission, Submission to Senate Community Affairs Legislation Committee, Inquiry into the
            My Health Records Amendment (Strengthening Privacy) Bill 2018, [Submission no. 11], 14 September 2018, p. 1; Australian
            Nursing and Midwifery Federation, Submission to Senate Community Affairs Legislation Committee, Inquiry into the My
            Health Records Amendment (Strengthening Privacy) Bill 2018, [Submission no. 25], pp. 7–8.
        60. A Falk, Evidence to Senate Community Affairs References Committee, Inquiry into the My Health Record system,
            17 September 2018, p. 33.
        61. L Wells (Consumers Health Forum of Australia), Evidence to Senate Community Affairs References Committee, Inquiry into the
            My Health Record system, 17 September 2018, p. 6.



                  These controls are substantially tighter than the controls that apply under the Privacy Act 1988 (Cth) to
                  patient data stored in the clinician’s own patient records. They also impose greater restrictions on the
                  government’s and courts’ powers to require production than apply to data held by the patient outside
                  the My Health Record system.62

        In its submission, the ADHA reiterated that it ‘[has] never received a request for information
        for law enforcement purposes and [has] not released any information for such purposes’ and
        noted that it has an operational policy that it would not release any documents without a court or
        similar order.63 The ADHA described the proposed amendments as acknowledging ‘the evolving
        expectations of the community since the legislation was first debated and approved in Parliament
        in 2012’. It stated that the ‘changes also reflect the strong and positive advocacy of the clinical and
        consumer peak bodies who have been central in advocating for these issues to be addressed in the
        legislation’.64
        However, the Australian Privacy Foundation raised concerns with the proposed amendments:
                  -     The claim that there is no additional cost. This is only true if the real problem of deleting inactive
                        records is not properly addressed…

                  -     The presumption that people will not want to delete individual documents from the health record

                  -     The reality that the government can change the legislation at any time in the future.

                  -     The reality that My Health Data will flow into other systems that have nothing like the safeguards
                        built into My Health Records and where the prohibitions and authorisations of do not apply, as per
                        Section 71 of the legislation…

                  -     The government treats itself as a special case, for which they have provided no justification.

                  -     The government needs to treat itself as a third party in the patient/health provider relationship.

                  The proposed amendments seem to reinstate judicial review, but this has to be read in the context of
                  the rest of the legislation. Just as we were reassured about third-party access provisions in the
                  legislation, we need to look at what other hidden landmines there are. Only a full review of the
                  legislation and all of its possible implications now and in the future will be acceptable.65

        The Women’s Legal Service NSW also noted that, while the amendments of the Bill provide for a
        mechanism to permanently delete records from the My Health Records system, ‘the deletion of
        records is a complex problem’. It stated:
                  The My Health Record database is designed for retention not deletion. Consequently, even if data is
                  deleted from the database, there is a possibility that it may still be present in the backup ‘snapshots’.
                  Some of these backups may be retained for extended periods and accessible to a small group of IT
                  administrators. This radically weakens the effectiveness of the mechanism afforded in the legislation to
                  delete health records, consequently putting private health information at risk of exposure.66




        62. AMA, Submission to Senate Community Affairs References Committee, Inquiry into the My Health Record system, op. cit., p. 2.
        63. ADHA, Submission to Senate Community Affairs References Committee, Inquiry into the My Health Record system,
            14 September 2018, [Submission no. 31], p. 10.
        64. Ibid.
        65. Australian Privacy Foundation, Submission to Senate Community Affairs References Committee, Inquiry into the My Health
            Record system, [Submission no. 1], 5 September 2018, p. 18.
        66. Women’s Legal Service NSW, Submission to Senate Community Affairs References Committee, Inquiry into the My Health
            Record system, [Submission no. 19], 14 September 2018, p. 3.



        The Scarlet Alliance (the Australian Sex Workers Association) welcomed the changes in the Bill but
        argued that these changes ‘did not go far enough in ensuring the community privacy concerns
        about [the My Health Record system] are addressed’.67 Its recommendations included:
        • the My Health Record return to an opt-in system
        • privacy controls should be set by default to the highest privacy and security settings
        • the healthcare recipients should be notified each time their data will be used for a secondary
          purpose, be informed of how the information will be used and agree to participate and
        • healthcare recipients should have the ability to permanently delete individual records without
          the necessity of cancelling their registration in order to do so.68

        Financial implications
        The Explanatory Memorandum states that there will be no net cost to implement the changes
        made by the Bill.69

        Statement of Compatibility with Human Rights
        As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the
        Government has assessed the Bill’s compatibility with the human rights and freedoms recognised
        or declared in the international instruments listed in section 3 of that Act. The Government
        considers that the Bill is compatible.70

        Parliamentary Joint Committee on Human Rights
        The Parliamentary Joint Committee on Human Rights listed the Bill as one which did not raise
        human rights concerns.71

        Key issues and provisions
        Destruction of records
        The simplified outline of the MHR Act (in section 4) includes that the System Operator is
        responsible for operating the National Repositories Service which stores key records that form
        part of a healthcare recipient’s My Health Record. Section 17 deals with the retention of records
        uploaded to the National Repositories Service. It requires that the System Operator ensures that
        the records are retained for set periods where:
        • the record is uploaded to the National Repositories Service and
        • the record includes health information included in the My Health Record of a healthcare
          recipient.
        Items 2 to 6 amend section 17 to reflect changes regarding the destruction of records. Item 2
        inserts ‘and destruction’ to the title of section 17. Items 3 and 4 insert consequential subheadings
        into section 17.
        Paragraph 17(2)(b) sets out the periods the System Operator must ensure a record is retained.
        These are:

        67. Scarlet Alliance, Submission to Senate Community Affairs Legislation Committee, Inquiry into the My Health Records
            Amendment (Strengthening Privacy) Bill 2018, [Submission no. 20], 29 August 2018, p. 2.
        68. Ibid., pp. 2–4.
        69. Explanatory Memorandum, op. cit., p. 3.
        70. The Statement of Compatibility with Human Rights can be found at page 4 of the Explanatory Memorandum to the Bill.
        71. Parliamentary Joint Committee on Human Rights, Human rights scrutiny report, 9, 2018, 11 September 2018, p. 22.



(i)         30 years after the death of the healthcare recipient or
              (ii)        if the System Operator does not know the date of death of the healthcare recipient—
                          130 years after the date of birth of the healthcare recipient.
        Item 5 inserts a third option, proposed subparagraph 17(2)(b)(iii). This provides that ‘if, under
        subsection (3), the record is required to be destroyed because of the cancellation of registration of
        the healthcare recipient—when the System Operator is required to destroy the record under
        subsection (4)’.
        Item 6 inserts proposed subsections 17(3) and 17(4) which deal with the destruction of records
        after cancellation on request.
        Currently, subsection 51(1) of the MHR Act provides that the System Operator must decide to
        cancel or suspend the registration of a healthcare recipient or other entity if requested in writing
        by a healthcare recipient or other entity. Proposed subsection 17(3) will additionally require the
        System Operator to destroy any record that includes health information if the System Operator is
        required to cancel the registration of a healthcare recipient under subsection 51(1).
        However, some minimal information is not required to be destroyed:
        • the name and healthcare identifier of the healthcare recipient
        • the name and healthcare identifier of the person who requested the cancellation, if different
          from the healthcare recipient and
        • the day the cancellation decision takes effect.72
        The Explanatory Memorandum notes this enables the System Operator to retain some ‘identifying
        and administrative information’. It states:
                    This is not health information. Retaining this information is necessary for the System Operator to fulfil
                    its functions and, among other things, assure healthcare recipients that their request to cancel their
                    registration in the My Health Record system has been actioned.73

        Collection, use and disclosure
        Section 63 authorises the collection, use and disclosure of health information for the management
        of the My Health Record system, including in response to requests by the System Operator. The
        note under section 63 provides examples of sections of the MHR Act under which the System
        Operator may make a request. Item 7 inserts a reference to proposed section 69A (to be inserted
        by item 12) into this note.
        Section 65 deals with the collection, use and disclosure of health information authorised by law. It
        provides that, subject to the rules on disclosure to courts and tribunals (dealt with by section 69),
        participants in the My Health Record system are authorised to ‘collect, use and disclose the health
        information included in a healthcare recipient’s My Health Record if the collection, use or
        disclosure is required or authorised by Commonwealth, State or Territory law’. Items 8, 9 and 10 will
        amend section 65 to limit the laws which could allow access to health information contained in the
        My Health Record system.



        72. Subsection 51(7) provides for when a cancellation or suspension decision takes effect. This is either when the decision is made
            or ‘if the decision is made at the request of the healthcare recipient or other entity, and the request states that the healthcare
            recipient or other entity wishes the cancellation or suspension to occur at a specified future time—at that future time’.
        73. Explanatory Memorandum, op. cit., p. 8.


